xloader | 5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34

General

Target

5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe
Size

253KB
MD5

a6481e8a071be497473fd37fdabe8d83
SHA1

64ca16d365f80e529446583a8900b7b28d356487
SHA256

5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34
SHA512

1c96776e99411ae50df9cbd534eba221440e6363798458d4668580a0da0dbb5bf37848aad7f19e4de04f907f784492622c88a8f9b770541e9456950b5e259b81

Score

10^/10

xloader arh2 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

hstorc.com

blackountry.com

dhrbakery.com

dezhouofit.com

defipayout.xyz

ginas4t.com

byzbh63.xyz

qrcrashview.com

mialibaby.com

enhaut.net

samainnova.com

yashveerresort.com

delfos.online

dungcumay.com

lj-counseling.net

fliptheswitch.pro

padogbitelawyer.com

aticarev.com

sederino.site

bestplansforpets-japan3.life

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2544-136-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/2544-139-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/4892-145-0x00000000010A0000-0x00000000010CB000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ggytbnywzd.exeggytbnywzd.exe

pid process

4776 ggytbnywzd.exe
2544 ggytbnywzd.exe

pid	process
4776	ggytbnywzd.exe
2544	ggytbnywzd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ggytbnywzd.exeggytbnywzd.exemsdt.exe

description	pid	process	target process
PID 4776 set thread context of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 2544 set thread context of 1060	2544	ggytbnywzd.exe	Explorer.EXE
PID 4892 set thread context of 1060	4892	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

ggytbnywzd.exemsdt.exe

pid	process
2544	ggytbnywzd.exe
2544	ggytbnywzd.exe
2544	ggytbnywzd.exe
2544	ggytbnywzd.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe
4892	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ggytbnywzd.exemsdt.exe

pid process

2544 ggytbnywzd.exe
2544 ggytbnywzd.exe
2544 ggytbnywzd.exe
4892 msdt.exe
4892 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ggytbnywzd.exemsdt.exe

description pid process

Token: SeDebugPrivilege 2544 ggytbnywzd.exe
Token: SeDebugPrivilege 4892 msdt.exe

pid	process
1060	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2544	ggytbnywzd.exe
Token: SeDebugPrivilege	4892	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exeggytbnywzd.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1640 wrote to memory of 4776	1640	5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe	ggytbnywzd.exe
PID 1640 wrote to memory of 4776	1640	5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe	ggytbnywzd.exe
PID 1640 wrote to memory of 4776	1640	5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 4776 wrote to memory of 2544	4776	ggytbnywzd.exe	ggytbnywzd.exe
PID 1060 wrote to memory of 4892	1060	Explorer.EXE	msdt.exe
PID 1060 wrote to memory of 4892	1060	Explorer.EXE	msdt.exe
PID 1060 wrote to memory of 4892	1060	Explorer.EXE	msdt.exe
PID 4892 wrote to memory of 1856	4892	msdt.exe	cmd.exe
PID 4892 wrote to memory of 1856	4892	msdt.exe	cmd.exe
PID 4892 wrote to memory of 1856	4892	msdt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe
"C:\Users\Admin\AppData\Local\Temp\5e9aba7aa4cb5b012889435a0bdaf3ac311ff6c7545b5c156f7c3cd3e3510f34.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe"
3⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5hhhsr31fl38xu0xw4o
Filesize
171KB

MD5
f841f8a21fa59b0cd196bc9872bdc25e

SHA1
f98264aaa0fac0cc2753e2c99bb3d44e841213b7

SHA256
1e4d1f543e7f5e23e2270bf6c2f5460a0de2ab0179fcb4d55f166cc5930d885f

SHA512
984d848ec07da5290d07b935bdfa12f7266133ebb9c6bfcaae51b7ab22981db8f15d8f5d028f18ec39e1db379660eb18ec4b63f52a4fc1f635c86a2449f6edc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
Filesize
74KB

MD5
1a86c6002f3c1faa1236da59ead3890f

SHA1
5c1354c71d2e5e5cf21d2cc64208dadb375fb34e

SHA256
deeca01ebece259db77f5034fba5bebb0df954172e5318dc3ade94593d83e21b

SHA512
a738edca53949f7a63939b77007611dcdec6fb0bd86c36ae3df5f28dfb847ad41377484972fd209183cd213411ff86a6db66360b65496a41f6cdc06bcc876764

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
Filesize
74KB

MD5
1a86c6002f3c1faa1236da59ead3890f

SHA1
5c1354c71d2e5e5cf21d2cc64208dadb375fb34e

SHA256
deeca01ebece259db77f5034fba5bebb0df954172e5318dc3ade94593d83e21b

SHA512
a738edca53949f7a63939b77007611dcdec6fb0bd86c36ae3df5f28dfb847ad41377484972fd209183cd213411ff86a6db66360b65496a41f6cdc06bcc876764

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggytbnywzd.exe
Filesize
74KB

MD5
1a86c6002f3c1faa1236da59ead3890f

SHA1
5c1354c71d2e5e5cf21d2cc64208dadb375fb34e

SHA256
deeca01ebece259db77f5034fba5bebb0df954172e5318dc3ade94593d83e21b

SHA512
a738edca53949f7a63939b77007611dcdec6fb0bd86c36ae3df5f28dfb847ad41377484972fd209183cd213411ff86a6db66360b65496a41f6cdc06bcc876764

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnzqcmqg
Filesize
4KB

MD5
c80d72ff5634420064095398d5044ba9

SHA1
eae9cca26c2027e4706e0079f533d57312afe080

SHA256
eff27c3b368bdc2a2af24a546d4b05cfda6090380f3f0c553549438d36026c84

SHA512
338854ad70c4b2f2123b1a438c0b29876ff20d65b6ae9f1fa0182298ea1957c90d96cd4793de39a177bded39039f366011e32fea2d63f264cc94136399461e68

Download Submit
memory/1060-149-0x0000000002760000-0x00000000027FE000-memory.dmp

Filesize
632KB

Download
memory/1060-142-0x0000000002C50000-0x0000000002DB2000-memory.dmp

Filesize
1.4MB

Download
memory/1856-146-0x0000000000000000-mapping.dmp

Download
memory/2544-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2544-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2544-141-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/2544-140-0x0000000000BC0000-0x0000000000F0A000-memory.dmp

Filesize
3.3MB

Download
memory/2544-135-0x0000000000000000-mapping.dmp

Download
memory/4776-130-0x0000000000000000-mapping.dmp

Download
memory/4892-143-0x0000000000000000-mapping.dmp

Download
memory/4892-144-0x0000000000630000-0x0000000000687000-memory.dmp

Filesize
348KB

Download
memory/4892-145-0x00000000010A0000-0x00000000010CB000-memory.dmp

Filesize
172KB

Download
memory/4892-147-0x0000000003150000-0x000000000349A000-memory.dmp

Filesize
3.3MB

Download
memory/4892-148-0x0000000002EF0000-0x0000000002F80000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads